Greetings - I am interested in creating a rule that will fire when a previously disabled user becomes enabled. I would want to exclude a newly enabled user resultant of a new account having just been created and, I know it is a stretch, but I would also want to exclude UserEnabled when the account had been locked out then resolved; I'm thinking that counts as UserEnabled, too, but I could be wrong. Perhaps to put it in simpler terms, I'm only interested in accounts that were manually disabled and subsequently re-enabled. Doable?

The problem I see is this: when an account is enabled, there's nothing in the logs that indicates the reason it was disabled. In an account disable event, there is a distinction (lockouts vs. administratively disabled), but unless the disable and the enable happen fairly quickly (within minutes) the LEM's correlation engine isn't going to be a resource-friendly way to achieve this.

One thing that might work for you would be:

Create a "DeadUsers" security group and move administratively disabled accounts to that group

Add that group to LEM and use it for a rule correlation, such that "if an account from DeadUsers is enabled, let me know"

The problem then would be if a sneaky admin takes an account out of that group before enabling it, but you could alert off changes to that group (DeleteGroupMember) as well.
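The group-based approach in this answer, written out as an added example (not code from the original thread, SolarWinds or LEM): a small stateful correlator run over constructed Windows-style security events. It uses the real Windows Security log event IDs for create (4720), enable (4722), disable (4725), lockout (4740), unlock (4767) and global-group membership add/remove (4728/4729); the pipe-delimited line format, the sample events, the account names and the five-minute "enable during provisioning" grace window are all assumptions made for the example. The "DeadUsers" group name is the one from the answer.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

# Windows Security log event IDs for the account lifecycle (real values).
EVT_USER_CREATED = 4720
EVT_USER_ENABLED = 4722
EVT_USER_DISABLED = 4725
EVT_ACCOUNT_LOCKED = 4740
EVT_ACCOUNT_UNLOCKED = 4767
EVT_GROUP_MEMBER_ADDED = 4728     # member added to a security-enabled global group
EVT_GROUP_MEMBER_REMOVED = 4729   # member removed from a security-enabled global group

DEAD_USERS_GROUP = "DeadUsers"         # group name taken from the answer above
CREATION_GRACE = timedelta(minutes=5)  # assumed window: enable right after create is provisioning


@dataclass
class Event:
    time: datetime
    event_id: int
    target: str                  # account being acted on
    subject: str                 # account performing the action
    group: Optional[str] = None  # only set for group-membership events


def parse_line(line: str) -> Event:
    """Parse one constructed, pipe-delimited line into an Event.

    Format (made up for this example, not a real log layout):
    <ISO timestamp>|<event id>|target=<user>|subject=<user>[|group=<group>]
    """
    parts = line.strip().split("|")
    fields = dict(p.split("=", 1) for p in parts[2:])
    return Event(
        time=datetime.fromisoformat(parts[0]),
        event_id=int(parts[1]),
        target=fields["target"],
        subject=fields["subject"],
        group=fields.get("group"),
    )


@dataclass
class DeadUsersCorrelator:
    """Stateful rule: alert when a DeadUsers member is enabled or removed from the group."""
    dead_users: Set[str] = field(default_factory=set)
    recently_created: Dict[str, datetime] = field(default_factory=dict)
    alerts: List[str] = field(default_factory=list)

    def process(self, ev: Event) -> Optional[str]:
        alert = None
        if ev.event_id == EVT_USER_CREATED:
            self.recently_created[ev.target] = ev.time
        elif ev.event_id == EVT_GROUP_MEMBER_ADDED and ev.group == DEAD_USERS_GROUP:
            self.dead_users.add(ev.target)
        elif ev.event_id == EVT_GROUP_MEMBER_REMOVED and ev.group == DEAD_USERS_GROUP:
            # The "sneaky admin" case from the answer: leaving the group is itself alert-worthy.
            self.dead_users.discard(ev.target)
            alert = f"{ev.subject} removed {ev.target} from {DEAD_USERS_GROUP}"
        elif ev.event_id == EVT_USER_ENABLED:
            created = self.recently_created.get(ev.target)
            if created is not None and ev.time - created <= CREATION_GRACE:
                pass  # enable that is part of creating the account: ignore
            elif ev.target in self.dead_users:
                alert = f"{ev.subject} re-enabled administratively disabled account {ev.target}"
        # 4740 (lockout) and 4767 (unlock) are separate events and never reach the
        # enable branch, so a resolved lockout does not fire this rule.
        if alert:
            self.alerts.append(alert)
        return alert


# Constructed sample log for the example; not events from any real system.
SAMPLE_LOG = """\
2024-03-01T09:00:00|4720|target=newhire|subject=hr_admin
2024-03-01T09:01:00|4722|target=newhire|subject=hr_admin
2024-03-01T09:10:00|4725|target=bob|subject=it_admin
2024-03-01T09:11:00|4728|target=bob|subject=it_admin|group=DeadUsers
2024-03-01T09:12:00|4725|target=carol|subject=it_admin
2024-03-01T09:13:00|4728|target=carol|subject=it_admin|group=DeadUsers
2024-03-01T10:00:00|4740|target=alice|subject=DC01$
2024-03-01T10:05:00|4767|target=alice|subject=helpdesk
2024-03-01T11:00:00|4722|target=bob|subject=it_admin
2024-03-01T12:00:00|4729|target=carol|subject=sneaky_admin|group=DeadUsers
2024-03-01T12:01:00|4722|target=carol|subject=sneaky_admin
"""


def run_sample(log: str = SAMPLE_LOG) -> List[str]:
    """Feed the sample log through the correlator and return the alerts raised."""
    corr = DeadUsersCorrelator()
    for line in log.splitlines():
        if line.strip():
            corr.process(parse_line(line))
    return corr.alerts


if __name__ == "__main__":
    for a in run_sample():
        print(a)
```

On the sample, the new-hire enable, the lockout and its unlock produce nothing; bob's re-enable fires because he is still a DeadUsers member, and carol's case shows the gap the answer describes: her removal from the group is what gets caught, while her subsequent enable looks like any other enable once the membership state is gone.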
